Closed sethev closed 4 years ago
Hi @sethev, these are all CVEs with openssl; the final image does not have openssl installed.
It seems to be installed:
C02ZP44RMD6R:~ sv050971$ docker run -it gcr.io/heptio-images/gangway:v3.2.0 sh
/ $ apk list | grep openssl
WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.d8b2a6f4.tar.gz: No such file or directory
libssl1.1-1.1.1c-r0 x86_64 {openssl} (OpenSSL) [installed]
libcrypto1.1-1.1.1c-r0 x86_64 {openssl} (OpenSSL) [installed]
I don't see it fixed in latest build either so re-tagging won't help.
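The check in the comment above can be made precise by matching on the `{origin}` field of `apk list` output rather than on the package name, since `libssl1.1` and `libcrypto1.1` are both built from the `openssl` aport. The following is an added example, not part of the original thread or the gangway project; the function names are hypothetical and the sample lines other than the two quoted from the thread are constructed.

```shell
#!/bin/sh
# Added example: report installed Alpine packages built from a given origin
# (aport), reading `apk list` output on stdin. Line format as in the thread:
#   libssl1.1-1.1.1c-r0 x86_64 {openssl} (OpenSSL) [installed]

pkgs_from_origin() {
    # $1 = origin name, e.g. openssl. Prints "name version" per installed match.
    awk -v origin="$1" '
        /^WARNING:/ { next }                      # index warnings, not packages
        index($0, "[installed]") == 0 { next }    # skip packages only available
        $3 != ("{" origin "}") { next }           # field 3 is the origin aport
        {
            # Field 1 is name-version-rN. Package names may contain hyphens,
            # so the version and release are the last two hyphen-separated parts.
            n = split($1, p, "-")
            if (n < 3) next
            name = p[1]
            for (i = 2; i <= n - 2; i++) name = name "-" p[i]
            print name, p[n-1] "-" p[n]
        }'
}

# Constructed sample input. The libssl and libcrypto lines are the ones quoted
# in the thread; the remaining lines are made up for illustration.
sample_apk_list() {
    cat <<'EOF'
WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory
musl-1.1.22-r3 x86_64 {musl} (MIT) [installed]
ca-certificates-bundle-20190108-r0 x86_64 {ca-certificates} (MPL-2.0 GPL-2.0-or-later) [installed]
libssl1.1-1.1.1c-r0 x86_64 {openssl} (OpenSSL) [installed]
libcrypto1.1-1.1.1c-r0 x86_64 {openssl} (OpenSSL) [installed]
openssl-1.1.1c-r0 x86_64 {openssl} (OpenSSL)
EOF
}

# Both libraries are reported even though no package named "openssl" is installed.
sample_apk_list | pkgs_from_origin openssl
```

Inside a running container the same function can be fed from `apk list 2>/dev/null` instead of the sample.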
Hi @fanzhangio - We could fix by using debian base images similar to our internal build. Could you raise a PR?
Sure, I will send a PR replacing the https://github.com/heptiolabs/gangway/blob/master/Dockerfile#L16 with debian as we build internally.
I would replace the image for compiling as well.
It looks like 3 (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563) of these were fixed on 9/12 which is after the last release: https://git.alpinelinux.org/aports/commit/?id=09a199deeac384bd1f22bb26c2ec5b3bd60257a2
Debian would work fine too, though, especially if that's what you're building with internally.
Fixed in #159
It looks like there are 5 CVEs open in gcr.io/heptio-images/gangway:v3.2.0: